This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark opening vs exporting performance

0

Hi,

In Wireshark, opening a pcap and displaying some IE is much faster than exporting the very same info. What is the difference? Tshark export is also slow.

Thanks PeterK

asked 08 Dec '14, 08:26

PeterK
11223
accept rate: 0%

some questions:

  • what is your OS and OS version
  • what is your Wireshark version
  • do you read/write from/to a local file system or a network share
  • how do you define "much faster"?
  • can you provide a sample capture file that shows that effect
(08 Dec '14, 11:20) Kurt Knochner ♦

Hi Kurt,

The following config is used:

  • Windows Server 2003 R2 Enterprise x64 SP2
  • WS 1.12.0 (v1.12.0-0-g4fab41a from master-1.12)
  • Everything is processed locally
  • Opening in Wireshark takes 10 sec, exporting/tshark takes 60 sec
  • It is an LTE S1 capture and unfortunately I am not authorised to share it publicly

I think the 1:6 speed difference is interesting. What I noticed is that exporting/Tshark does not care how many IEs get exported, 1 or 100, it is the same speed. The Tshark command line is like this:

tshark.exe -n -r "s1_pcap" -2 -d sctp.ppi==18,s1ap -R "s1ap" -e frame.time_epoch -e ip.src -e ip.dst -e s1ap.procedureCode -e s1ap.tAC -e s1ap.cell_ID ...
-T fields -E separator=/t -E quote=n -E header=y -E occurrence=a >"s1_csv"

Thank you, Peter

(09 Dec '14, 00:18) PeterK

If Wireshark is already started, all the initialisations are already done. Tshark has to do that before starting to read the file. How long does it take Wireshark to load the file if you start it from the command line? wireshark.exe "s1_pcap" or wireshark.exe -R "s1ap"

(09 Dec '14, 00:41) Anders ♦

Hi Anders,

In fact it is the same time, because I am opening the capture via extension association, so Wireshark starts from scratch. Just realised that talking about pcapng not pcap if that makes any difference...

Best regards, Peter

(09 Dec '14, 06:41) PeterK

Then it might be the filtering, try starting WS from the command line with the filter...

(09 Dec '14, 07:19) Anders ♦

One Answer:

0

realised that talking about pcapng not pcap if that makes any difference.

It probably makes a difference. pcapng files are compressed while pcap is not.

My experience is that reading a compressed file (not necessarily pcapng) is usually way faster than writing/creating a compressed file, especially if the files are large enough to experience any delay.

I'm not sure if that's the same for all compression algorithms, but it's certainly true for some of them.

My test with 7-Zip shows a factor of ~3 between compression (13 seconds) and decompression (4 seconds) of the same file. The test was repeated several times to eliminate file system caching.

Regards
Kurt

answered 09 Dec '14, 07:12

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 09 Dec '14, 07:14

Pcap-ng files are not compressed by default.

(09 Dec '14, 07:17) Anders ♦

I thought they were, but you are right, they are not.

Strange, who/what planted that idea into my mind?

(09 Dec '14, 07:38) Kurt Knochner ♦
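
Added example, not part of the original thread: one way to check from the leading bytes whether a capture file is pcap or pcapng, and whether it is wrapped in gzip, which is the point the last comments settle. The function names and the sample bytes are constructed for illustration.

```python
import gzip
import io
import struct

# Classic pcap magic numbers as they appear on disk.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microseconds)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microseconds)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanoseconds)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanoseconds)",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, same in both byte orders
GZIP_MAGIC = b"\x1f\x8b"


def classify(head: bytes) -> str:
    """Classify a capture from its first 12 bytes."""
    if head[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[head[:4]]
    if head[:4] == PCAPNG_SHB and len(head) >= 12:
        bom = head[8:12]  # byte-order magic 0x1A2B3C4D follows type and length
        if bom == b"\x1a\x2b\x3c\x4d":
            return "pcapng (big-endian)"
        if bom == b"\x4d\x3c\x2b\x1a":
            return "pcapng (little-endian)"
        return "pcapng block type, bad byte-order magic"
    return "unknown"


def describe(data: bytes) -> str:
    """Report the on-disk container and the capture format inside it."""
    if data[:2] == GZIP_MAGIC:
        # Decompress only the first 12 bytes of the inner stream.
        inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(12)
        return "gzip-compressed " + classify(inner)
    return "uncompressed " + classify(data[:12])


# Constructed sample: a minimal little-endian pcapng Section Header Block
# (type, length 28, byte-order magic, version 1.0, section length -1, length 28).
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)

if __name__ == "__main__":
    print(describe(SAMPLE_PCAPNG))
    print(describe(gzip.compress(SAMPLE_PCAPNG)))
```

For a real file, pass the result of reading the first few kilobytes in binary mode to `describe`.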